Sunday, August 2, 2009

Is your information secure? A basic security test for every website you join #security #hacking

There's no doubt about it: our personal information is moving to the cloud. From Twitter and Facebook to our online banking accounts, almost everything about us is stored in a database somewhere online. But how secure is that information, and how easy would it be for an attacker to get at it under the right circumstances? Here's a basic security test I put every website I join through. It's easy enough that anyone with about five minutes can run it as well:

After signing up to a new website, log out and go to the "forgot password" link. Almost every website has one, and it usually only asks for your email address before sending you a password or a password reminder. Go through the process, request your password, and then wait to see what arrives in your inbox.

Some websites, if not most, will send you either a password reminder or a link that lets you reset your password to something new. But others, and there are a huge number of them (PlentyOfFish and MocoSpace among them at the time of writing), will simply send you your existing password in plain text.

That is a website that has just failed a security test.

By sending you your existing password, the site shows that it does not store a one-way (salted) hash of it. It either keeps the password in plaintext or encrypts it reversibly with a key the application itself holds, which is nearly as bad, because anyone who compromises the application gets the key too. So anyone who breaks into the site, or walks off with a database backup, gets not only everyone's personal information but also their passwords. Since many people use the same password almost everywhere, one leaked site password can give an attacker access to your email account, other sites you belong to, and even your online banking. From there they can use what they learn from each breached account to extend their reach into your life and, eventually, steal your identity.
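To make the distinction concrete, here is an added example (my own illustration, not code from any of the sites named above) contrasting the two designs. PlaintextStore is what a site that can email you your password is effectively doing. UserStore is the alternative: passwords are kept only as a salted PBKDF2 hash, so there is nothing in the record to send back, and "forgot password" issues a short-lived, single-use reset token instead (itself stored hashed, so a database leak does not hand out live resets). The class names, the in-memory dictionaries, the iteration count and the token lifetime are all assumptions made for the example; a real site would put the same records in a database.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed parameters for this illustration; tune to your hardware and policy.
PBKDF2_ITERATIONS = 100_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset link stays valid


class PlaintextStore:
    """The design a password-emailing site reveals: the secret is stored as-is,
    so 'forgot password' can simply hand it back (and so can a database thief)."""

    def __init__(self):
        self.users = {}  # email -> password, verbatim

    def register(self, email: str, password: str) -> None:
        self.users[email] = password

    def forgot_password(self, email: str) -> Optional[str]:
        return self.users.get(email)  # this is what ends up in the email


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way, per-user-salted digest; returns (salt, digest)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """Hashed storage plus a reset-token flow: the password is never recoverable."""

    def __init__(self):
        self.users = {}   # email -> {"salt": bytes, "digest": bytes}
        self.resets = {}  # sha256(token) -> (email, expiry timestamp)

    def register(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "digest": digest}

    def verify(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            hash_password(password)  # burn the same work: don't leak account existence via timing
            return False
        _, digest = hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["digest"])

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """The 'forgot password' step. Returns the token to put in the emailed
        link, or None for unknown accounts (the page shown to the user should
        read the same either way)."""
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token; a leaked table must not contain live resets.
        self.resets[hashlib.sha256(token.encode()).digest()] = (email, now + RESET_TOKEN_TTL)
        return token

    def reset_with_token(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self.resets.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.register(email, new_password)  # fresh salt, fresh digest
        return True

    def recoverable_password(self, email: str) -> Optional[str]:
        """What a password-reminder email could contain under this design: nothing."""
        rec = self.users.get(email)
        return None if rec is None else rec.get("password")


if __name__ == "__main__":
    weak = PlaintextStore()
    weak.register("user@example.com", "hunter2")            # constructed sample account
    print("plaintext site would email:", weak.forgot_password("user@example.com"))

    good = UserStore()
    good.register("user@example.com", "hunter2")
    print("hashed site could email:", good.recoverable_password("user@example.com"))
    token = good.request_reset("user@example.com")
    print("reset via emailed token:", good.reset_with_token(token, "correct horse battery"))
    print("old password still works?", good.verify("user@example.com", "hunter2"))
```

The point of the test in the post is visible in the last two lines of the record layout: with hashed storage, the only thing a site can do on "forgot password" is let you choose a new one. If a site can show you the old one, it is running something shaped like PlaintextStore, however the rest of its security looks.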

I've closed many of my online accounts after they've failed this test. I usually send the site administrators an email telling them I am closing my account and detailing why. Failing the test shows that they aren't concerned about security and took the laziest route when building their site. If they put no thought into the user-facing side of security, the part attackers actually probe, how much can they really be putting into the side nobody is supposed to see?

It's time sites took our security seriously. Wake up, administrators! We're watching you.

1 comment:

HighTechRider said...

Totally agree, any website that can send your password back to you is off my list too.

TheRegister.com loves to whine about security flaws but their own website fails this test.